Throttle 5 million P2P users with $800K DPI monster

Procera Networks will announce today a new standard in deep packet inspection (DPI) gear: an 80Gbps monster called the PacketLogic PL10000 that is targeted at tier-1 network operators. At up to $800,000 a unit, these aren't cheap, but when you want to throttle, inspect, and shape traffic in real-time on a major network, this is now the fastest thing on the market (and by a large margin).

Procera's appliances all run the same software, so the difference between them is in the interfaces and the number of rack units they take up. The PL10000 is the company's top-of-the-line offering and provides five 10Gbps channels and nine 1Gbps channels in a 12-rack-unit chassis. It can handle 80Gbps of total throughput, but most ISPs will want to keep an eye on traffic moving in both directions, bringing this down to 40Gbps each way.

The PL10000 can handle up to 5 million subscribers and can track 48 million real-time data flows. That's certainly a potent piece of hardware, but larger ISPs will need more. That's why Procera designed the new machines with full support for synchronizing traffic flows where return traffic might be routed through a different PacketLogic machine. The machine receiving the return traffic can tell the machine monitoring the outbound traffic that it sees the other half of the same TCP/IP conversation, for example, giving the devices more accuracy than those which only ever see one side. The capability incurs overhead of only 2-6 percent, far better than the 25 or 50 percent sometimes seen in competing products.
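The flow-synchronization idea above, as an added illustration that is not Procera's code: two sensors each report the half of a TCP conversation they see, both halves are keyed by a direction-independent 5-tuple so they land in the same table entry, and the entry records which sensors contributed so the operator knows which flows require a sync message between boxes. The sensor names and addresses are constructed sample data.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class HalfFlow:
    """One direction of a TCP/IP conversation as a single sensor sees it."""
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    packets: int

def canonical_key(hf: HalfFlow) -> tuple:
    """Order the two endpoints so both directions of a conversation share one key."""
    a = (hf.src, hf.sport)
    b = (hf.dst, hf.dport)
    lo, hi = (a, b) if a <= b else (b, a)
    return (hf.proto, *lo, *hi)

class FlowSync:
    """Stitches half-flows reported by different sensors into bidirectional flows."""

    def __init__(self):
        # canonical key -> {"sides": {source endpoint: HalfFlow}, "sensors": set of names}
        self.table = {}

    def observe(self, sensor: str, hf: HalfFlow) -> tuple:
        key = canonical_key(hf)
        entry = self.table.setdefault(key, {"sides": {}, "sensors": set()})
        entry["sides"][(hf.src, hf.sport)] = hf
        entry["sensors"].add(sensor)
        return key

    def bidirectional(self) -> list:
        """Keys for which both directions have been observed somewhere."""
        return [k for k, e in self.table.items() if len(e["sides"]) == 2]

    def needs_sync(self) -> list:
        """Bidirectional flows whose halves were seen by different sensors: the
        sensor holding the return half must inform the sensor holding the outbound half."""
        return [k for k in self.bidirectional() if len(self.table[k]["sensors"]) > 1]

# Constructed sample: sensor A sees the outbound half, sensor B the return half of one
# conversation; a second conversation is seen by A only, so it stays unidirectional.
fs = FlowSync()
fs.observe("A", HalfFlow("10.0.0.5", 51000, "203.0.113.7", 60123, "tcp", 120))
fs.observe("B", HalfFlow("203.0.113.7", 60123, "10.0.0.5", 51000, "tcp", 95))
fs.observe("A", HalfFlow("10.0.0.9", 40000, "198.51.100.2", 443, "tcp", 10))
```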

The PL10000

DPI gear in general is astonishing technology, able to drill down to the packet level in real time, but the PL10000 can do this at 80Gbps with 96 percent accuracy. But how does it fare with P2P content, especially when it's encrypted? This is one of the key issues for ISPs using DPI gear as a less-expensive alternative to increasing capacity. I spoke with James Brear, Procera's CEO, and Jon Lindén, the VP of Product Management, about the issue. While they did not break out specific accuracy numbers on P2P, they indicated that Procera was quite good even at sniffing out encrypted P2P traffic.

Breaking such encryption in real-time isn't currently possible, nor is it desirable from a privacy perspective, but Procera doesn't need to; most P2P protocols can be detected simply by analyzing header information, handshake peculiarities, or the way in which a particular application exchanges encryption keys. Such telltale traces can give away various kinds of encrypted traffic, and while the information within remains secure, the entire flow can be shaped or blocked if desired by the ISP. (Note that this alone isn't enough to filter copyrighted content, but it can put the kibosh on entire protocols that might be heavily used for copyright infringement.)
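The classification approach described above, as an added example that is not Procera's code: the classifier never looks at payload contents, only at the direction and size of the first few handshake packets, and matches that shape against a signature table. The signatures here are constructed for illustration and are not fingerprints of any real protocol; real key exchanges often add random padding, which is why each signature entry is a size range rather than an exact length.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Constructed signatures: (direction, min payload length, max payload length) for the
# first payload-bearing packets of a handshake. Illustrative only, not real protocols.
SIGNATURES = {
    "example-encrypted-p2p": [("c2s", 96, 608), ("s2c", 96, 608), ("c2s", 20, 120)],
    "example-web-tls": [("c2s", 16, 1500), ("s2c", 200, 1500)],
}

@dataclass
class Flow:
    sport: int
    dport: int
    # (direction, payload length) for payload-bearing packets, in arrival order
    packets: List[Tuple[str, int]]

def match_signature(flow: Flow, sig: list) -> bool:
    """True if the flow's opening packets fit the signature's direction/size pattern.
    A flow shorter than the signature cannot be confirmed and does not match."""
    if len(flow.packets) < len(sig):
        return False
    for (direction, plen), (want_dir, lo, hi) in zip(flow.packets, sig):
        if direction != want_dir or not lo <= plen <= hi:
            return False
    return True

def classify(flow: Flow) -> str:
    """Label a flow by handshake shape alone; ports are ignored because encrypted
    P2P clients pick them at random, and the payload is never decrypted."""
    for name, sig in SIGNATURES.items():
        if match_signature(flow, sig):
            return name
    return "unknown"

# Constructed sample flows as an operator's probe might summarize them.
SAMPLE_FLOWS = [
    Flow(51000, 60123, [("c2s", 300), ("s2c", 412), ("c2s", 64), ("c2s", 1400)]),
    Flow(40000, 443, [("c2s", 517), ("s2c", 1380), ("s2c", 1380)]),
    Flow(52000, 60124, [("c2s", 300), ("s2c", 412)]),  # cut short: too few packets
    Flow(53000, 8080, [("s2c", 40)]),
]
```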

But Brear and Lindén made the case that this shouldn't be seen as a looming consumer nightmare, nor should it be seen as having anything to do with network neutrality. In their view, DPI is a competitive tool for ISPs in several ways. First, it allows ISPs to charge for "services" like faster VoIP or gaming. Second, it can speed up the network by shaping P2P and other high-bandwidth applications at peak times, or by enforcing user quotas and bandwidth limits. Finally, DPI can be a security tool that gives ISPs a way to shut down DDoS attacks and viruses propagating through the network.

In Procera's ideal world, your grandma in Poughkeepsie should pay less to use only e-mail and the Web than you do to access e-mail, the Web, P2P, VoIP, and online gaming. A "big dumb pipe" approach this is not. In fact, as Procera makes clear in its press materials, "Adding capacity is not the answer!" to ISP bandwidth problems.

So long as it is consumers making the decisions about what services to purchase, though, neither Brear nor Lindén sees any network neutrality issues arising from the use of such gear.

Despite the whiff of controversy that still surrounds DPI gear (on grounds of both privacy and neutrality), the technology has become increasingly common at major ISPs. Sweden's Com Hem, the largest cable operator in Scandinavia, has just upgraded to the PL10000. Jens Persson, VP of R&D for the company, said that "DPI has become a critical element in our network and enables us to offer our customers the best possible service." US ISPs are generally less interested in speaking publicly about their use of such gear, but many appear to use it.

While tools like those from Sandvine have gained public notoriety due to Comcast's use of DPI to interfere with P2P uploads, 80Gbps is an entirely new level of speed. And because the PL10000 doesn't use custom ASICs to get the job done, protocol identifications can be updated in software just as fast as Procera can issue them. P2P coders, in particular, are likely to put this updating capacity to the test, doing whatever they can to avoid detection. Who will win the game of cat-and-mouse remains to be seen, but Procera's execs sound confident in their ability to identify at least the top applications on a consistent basis.